Make explicit_policy handling match expected RFC3280 behaviour.
authorDr. Stephen Henson <steve@openssl.org>
Sat, 2 Aug 2008 11:16:35 +0000 (11:16 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sat, 2 Aug 2008 11:16:35 +0000 (11:16 +0000)
crypto/x509v3/pcy_tree.c

index c8bfa37..b1ce77b 100644 (file)
@@ -130,11 +130,11 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        ret = 2;
                if (explicit_policy > 0)
                        {
-                       explicit_policy--;
-                       if (!(x->ex_flags & EXFLAG_SI)
-                               && (cache->explicit_skip != -1)
+                       if (!(x->ex_flags & EXFLAG_SI))
+                               explicit_policy--;
+                       if ((cache->explicit_skip != -1)
                                && (cache->explicit_skip < explicit_policy))
-                               explicit_policy = cache->explicit_skip + 1;
+                               explicit_policy = cache->explicit_skip;
                        }
                }
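Review bot: The two new `if` statements inside the `explicit_policy > 0` block have no comment tying them to the RFC 3280 steps they implement, and this counter decides whether a chain with no valid policy is rejected, so a silent regression here weakens validation. I would put `/* RFC3280 6.1.4 (h)(1): a self-issued cert does not use up the counter */` above the `EXFLAG_SI` test and `/* 6.1.4 (i)(1): requireExplicitPolicy may only lower the counter, and applies to self-issued certs too */` above the `explicit_skip` test. The second comment matters most, because dropping the `+ 1` and moving the comparison out from under the `EXFLAG_SI` condition both look like off-by-one slips to a later reader unless the intent is stated. `tree_init` begins and ends outside this hunk, so the loop direction and the initial value of `explicit_policy` cannot be checked from here. A regression case with a self-issued intermediate carrying requireExplicitPolicy would pin the new behaviour.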